Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Cyber-criminals injected JavaScript code to divert visitors from MySQL.com to a malicious site hosting BlackHole malware toolkit in a drive-by-download attack.

Unknown attackers compromised the main Website of open-source database MySQL and served malware to unsuspecting visitors for a short period of time on Sept. 26.

Attackers injected JavaScript code on MySQL.com, owned by Oracle, to divert visitors to malicious Websites hosting the BlackHole exploit kit, which automatically downloaded malware to the victimized computers, according to Wayne Huange, founder, president and CEO of Armorize Technologies. The company said the attack has been disabled and the site is no longer serving up malware.

The main page of MySQL.com was compromised to force visitors to load a JavaScript file, Huang wrote on the Armorize blog. The file created an IFRAME that redirected the victim unknowingly to a page hosted at falosfax.in, hosted in Florida and again to a .cx.cc domain hosted in Sweden. Once on the page, the BlackHole kit hosted on the site exploited the user's Web browser and installed plug-ins to download malware. Attackers modified a JavaScript file used by the Omniture SiteCatalyst plug-in, used to track Website metrics, for this attack.

"The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection," Huang wrote.

Further reading

BlackHole is a widely used kit that contains pre-loaded exploits for vulnerabilities in Web browsers and in other Web components and plug-ins, such as Flash Player, Adobe Reader and Java. It takes advantage of unpatched software to compromise the machine. The drive-by-download attack is a common technique and often relies on JavaScript to silently redirect users to malicious sites without their knowing.

Eight out of 44 major security vendors currently detect the malware, according to malware tracker VirusTotal.

Trend Micro researchers found evidence that attackers were selling root access to some of the cluster servers of mysql.com and its subdomains on underground criminal forums. The seller was offering a shell console window with root access to these servers for $3,000, Maxim Goncharov, a senior threat researcher at Trend Micro wrote on the Malware blog.

It appears that the site was initially compromised by a JavaScript malware which is often related to stolen FTP passwords, according to researchers at Sucuri Security. The malware likely compromised a computer belonging to a member of the MySQL.com team and stole the password from the FTP client, Sucuri researchers wrote on the blog.

MySQL is an open-source database that originally was owned by an independent entity, but was purchased by Sun Microsystems in 2008. It later became part of Oracle when that company bought Sun in 2009. Trend Micro's Goncharov said the team contacted MySQL last week but hadn't received a response. The site appeared to be serving up malware for about a three-hour window in the middle of the day.

With root access available for sale, it is possible that the malicious perpetrator who originally compromised mysql.com is not the one responsible for the BlackHole attack that served up malware on the site.